Closed Bug 1359914 Opened 7 years ago Closed 7 years ago

Add ssp-buffer-size compiler flag

Categories

(Core :: Security, enhancement)

enhancement
Not set
normal

RESOLVED INVALID

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [sg:want])

This bug was created as a clone of Bug 620058 which contains more context.
Depends on: 1359918
Depends on: 1359920
Depends on: 1359926
Depends on: 1359928
I don't think this is necessary. My understanding is that |ssp-buffer-size| was used to control the heuristic |-fstack-protector| used to decide which stack-allocated buffers needed protection. I think with |-fstack-protector-strong| this doesn't do anything. Have I misunderstood?
Flags: needinfo?(tom)
I didn't know, but Google led me to https://lwn.net/Articles/584225/ which agrees with you.

-fstack-protector protects functions with a local array of 8 bytes or more. ssp-buffer-size can be used to lower that (e.g. to 4).  

-fstack-protector-strong protects functions with any size local array, or a few other conditions.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(tom)
Resolution: --- → INVALID
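
The thresholds described in the comment above can be checked against a local compiler. The script below is an added example, not part of the original bug discussion; it assumes `cc` is GCC or Clang, and the sample functions and the `sink` routine are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the compiler emit a stack canary check for a
# given function under a given set of stack-protector flags?
# Assumption: "cc" is GCC or Clang, and the canary failure handler is
# named __stack_chk_fail (as on Linux with glibc or musl).

# emits_canary SOURCE FLAGS...
# Compile one C translation unit to assembly at -O0 and succeed only
# if the output references the canary failure handler.
emits_canary() {
    src=$1
    shift
    printf '%s\n' "$src" | cc -O0 -S -x c -o - "$@" - |
        grep '__stack_chk_fail' >/dev/null
}

# Constructed sample functions. sink() is a hypothetical external
# routine, declared only so the locals are really used.
SMALL_CHAR='void sink(void *); void f(void) { char buf[4]; sink(buf); }'
INT_ARRAY='void sink(void *); void f(void) { int a[2]; sink(a); }'
NO_ARRAY='int f(int x) { return x + 1; }'

# report LABEL SOURCE FLAGS...
report() {
    label=$1
    shift
    if emits_canary "$@"; then
        echo "$label: canary"
    else
        echo "$label: no canary"
    fi
}

if command -v cc >/dev/null 2>&1; then
    # The threshold of 8 is passed explicitly because a distribution
    # build of the compiler may use a different default.
    report 'char[4], basic, size 8' "$SMALL_CHAR" \
        -fstack-protector --param ssp-buffer-size=8
    report 'char[4], basic, size 4' "$SMALL_CHAR" \
        -fstack-protector --param ssp-buffer-size=4
    report 'char[4], strong' "$SMALL_CHAR" -fstack-protector-strong
    report 'int[2],  strong' "$INT_ARRAY" -fstack-protector-strong
    report 'no array, strong' "$NO_ARRAY" -fstack-protector-strong
fi
```
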
I guess what we could do, though, is try and make a case for turning on fstack-protector with a tuned ssp-buffer-size on release builds, and basically tuning the buffer-size so the performance is acceptable enough to land the change....

But this amount of effort for just Linux (and even Mac) for the limited security provided might not be worth it.
Depends on: 1360299
Depends on: 1360300
Depends on: 1360301
No longer depends on: 1359918
No longer depends on: 1360301
No longer depends on: 1360300
No longer depends on: 1360299
No longer blocks: 1359905
No longer depends on: 1359928
No longer depends on: 1359920
No longer depends on: 1359926